WEBVTT

00:00:00.000 --> 00:00:06.900 align:middle line:90%


00:00:06.900 --> 00:00:09.400 align:middle line:84%
Welcome to the second
part of World Wide Web

00:00:09.400 --> 00:00:11.390 align:middle line:90%
Fundamental Session.

00:00:11.390 --> 00:00:13.160 align:middle line:84%
In the next couple
of minutes you

00:00:13.160 --> 00:00:16.280 align:middle line:84%
will be introduced to the OWASP
Top 10 Project and the latest

00:00:16.280 --> 00:00:19.010 align:middle line:84%
published version of
the awareness document.

00:00:19.010 --> 00:00:21.750 align:middle line:84%
We will start with some
facts about the project.

00:00:21.750 --> 00:00:24.560 align:middle line:84%
Then we will do a walkthrough
of the latest published

00:00:24.560 --> 00:00:25.740 align:middle line:90%
version of the document.

00:00:25.740 --> 00:00:29.120 align:middle line:84%
And we will close the session
discussing how it is built.

00:00:29.120 --> 00:00:30.950 align:middle line:84%
The project by its
authors' own words:

00:00:30.950 --> 00:00:33.890 align:middle line:84%
"The OWASP top 10 is
a standard awareness

00:00:33.890 --> 00:00:37.250 align:middle line:84%
document for developers and
web application security.

00:00:37.250 --> 00:00:40.310 align:middle line:84%
It represents a broad consensus
about the most critical

00:00:40.310 --> 00:00:43.580 align:middle line:84%
security risks to
web applications."

00:00:43.580 --> 00:00:46.640 align:middle line:84%
The project is led by four
well-known OWASP volunteers --

00:00:46.640 --> 00:00:49.460 align:middle line:84%
Andrew, Brian,
Neil, and Torsten.

00:00:49.460 --> 00:00:52.280 align:middle line:84%
With a few little changes
since it was first published,

00:00:52.280 --> 00:00:53.960 align:middle line:84%
the document brings
security awareness

00:00:53.960 --> 00:00:56.010 align:middle line:90%
to developers and managers.

00:00:56.010 --> 00:00:58.580 align:middle line:84%
It was generally adopted
by the software industry.

00:00:58.580 --> 00:01:00.470 align:middle line:84%
And there's always
a huge expectation

00:01:00.470 --> 00:01:02.750 align:middle line:84%
when the time comes
for the next update.

00:01:02.750 --> 00:01:06.110 align:middle line:84%
The document has been updated
and published since 2003,

00:01:06.110 --> 00:01:09.260 align:middle line:84%
and translated in several
languages by volunteers.

00:01:09.260 --> 00:01:11.060 align:middle line:84%
If you don't find
yours, I challenge

00:01:11.060 --> 00:01:12.410 align:middle line:90%
you to lead that effort.

00:01:12.410 --> 00:01:15.170 align:middle line:84%
The more languages the
document is translated into,

00:01:15.170 --> 00:01:17.180 align:middle line:84%
the more people the
message will reach.

00:01:17.180 --> 00:01:19.070 align:middle line:84%
This is the project
page where you'll

00:01:19.070 --> 00:01:22.700 align:middle line:84%
find a quick overview of the
latest published Top 10 as well

00:01:22.700 --> 00:01:24.740 align:middle line:90%
as several other links.

00:01:24.740 --> 00:01:27.890 align:middle line:84%
If you prefer to read the
document in your own language,

00:01:27.890 --> 00:01:30.080 align:middle line:84%
look for it in the
Translation Efforts tab.

00:01:30.080 --> 00:01:36.170 align:middle line:90%


00:01:36.170 --> 00:01:38.090 align:middle line:84%
If you're interested
in the source

00:01:38.090 --> 00:01:40.280 align:middle line:84%
or have a question
or comment, then you

00:01:40.280 --> 00:01:42.246 align:middle line:90%
should go to the GitHub repo.

00:01:42.246 --> 00:01:54.670 align:middle line:90%


00:01:54.670 --> 00:01:59.020 align:middle line:84%
Better than talking, let's
see how the document looks.

00:01:59.020 --> 00:02:01.420 align:middle line:84%
This is the latest published
version at the time

00:02:01.420 --> 00:02:04.010 align:middle line:90%
this course is being recorded.

00:02:04.010 --> 00:02:06.950 align:middle line:84%
The document structure
hasn't changed that much,

00:02:06.950 --> 00:02:08.660 align:middle line:84%
and you may expect
future versions

00:02:08.660 --> 00:02:10.346 align:middle line:90%
to keep the same structure.

00:02:10.346 --> 00:02:14.460 align:middle line:90%


00:02:14.460 --> 00:02:16.350 align:middle line:84%
The Release Notes
section provides

00:02:16.350 --> 00:02:19.890 align:middle line:84%
relevant information about how
that specific version was built

00:02:19.890 --> 00:02:21.930 align:middle line:84%
and how the
final Top 10 compares

00:02:21.930 --> 00:02:24.190 align:middle line:90%
with the previous version.

00:02:24.190 --> 00:02:26.195 align:middle line:84%
Let's see how the
top 10 security risks

00:02:26.195 --> 00:02:27.445 align:middle line:90%
are presented in the document.

00:02:27.445 --> 00:02:30.540 align:middle line:90%


00:02:30.540 --> 00:02:33.870 align:middle line:84%
Every security risk in the
top 10 looks like this one.

00:02:33.870 --> 00:02:37.050 align:middle line:84%
For the next 10 sessions, we
will go through all the 10

00:02:37.050 --> 00:02:39.780 align:middle line:84%
security risks, and
we will exploit them

00:02:39.780 --> 00:02:43.050 align:middle line:84%
in an intentionally
vulnerable application.

00:02:43.050 --> 00:02:45.600 align:middle line:84%
Let's now discuss how
the Top 10 is built.

00:02:45.600 --> 00:02:47.920 align:middle line:84%
The process starts with
a public call for data,

00:02:47.920 --> 00:02:49.410 align:middle line:84%
so that companies
and individuals

00:02:49.410 --> 00:02:51.330 align:middle line:90%
can contribute their data.

00:02:51.330 --> 00:02:53.820 align:middle line:84%
Provided data should
include some metadata,

00:02:53.820 --> 00:02:57.150 align:middle line:84%
such as whether the results
came from a human-assisted tool

00:02:57.150 --> 00:02:59.160 align:middle line:84%
or a tool-assisted
human approach

00:02:59.160 --> 00:03:01.320 align:middle line:84%
and the list of
vulnerabilities following

00:03:01.320 --> 00:03:03.570 align:middle line:84%
the core Common
Weakness Enumeration.

00:03:03.570 --> 00:03:07.170 align:middle line:84%
Contributed data is analysed
and normalised and some may be

00:03:07.170 --> 00:03:11.070 align:middle line:84%
subject to reclassification to
group things in bigger buckets.

00:03:11.070 --> 00:03:12.930 align:middle line:84%
Then comes the
risk rating, which

00:03:12.930 --> 00:03:15.360 align:middle line:84%
we will discuss in more
detail in a few moments,

00:03:15.360 --> 00:03:18.270 align:middle line:84%
but which is based on the
OWASP risk assessment framework

00:03:18.270 --> 00:03:20.160 align:middle line:90%
available at OWASP.org.

00:03:20.160 --> 00:03:23.100 align:middle line:84%
A Top 10 draft is presented to
the community for discussion

00:03:23.100 --> 00:03:25.110 align:middle line:84%
and contributions,
which you may expect

00:03:25.110 --> 00:03:27.510 align:middle line:90%
to happen in the GitHub repo.

00:03:27.510 --> 00:03:29.790 align:middle line:84%
With a table like this
during our walkthrough

00:03:29.790 --> 00:03:34.620 align:middle line:84%
of the document, each factor:
exploitability, prevalence,

00:03:34.620 --> 00:03:38.550 align:middle line:84%
detectability, and technical
impact range from one (low)

00:03:38.550 --> 00:03:40.170 align:middle line:90%
to three (high).

00:03:40.170 --> 00:03:42.150 align:middle line:84%
Doing the simple
math, you will get

00:03:42.150 --> 00:03:45.720 align:middle line:84%
the risk rating used to sort
the Top 10 security risks.

00:03:45.720 --> 00:03:47.910 align:middle line:84%
Note that neither
likelihood of the threat

00:03:47.910 --> 00:03:51.390 align:middle line:84%
agent nor the business impact
are taken into account.

00:03:51.390 --> 00:03:54.150 align:middle line:84%
The latter is business-specific
and each organization

00:03:54.150 --> 00:03:58.120 align:middle line:84%
should decide how much security
risk it is willing to accept.

00:03:58.120 --> 00:04:01.290 align:middle line:84%
Factor ranges are given
by the Top 10 team.

00:04:01.290 --> 00:04:05.400 align:middle line:84%
Exploitability and detectability
are based on public CVEs.

00:04:05.400 --> 00:04:08.190 align:middle line:84%
Prevalence is computed
from contributed data.

00:04:08.190 --> 00:04:10.830 align:middle line:84%
And the technical
impact is an estimation.

00:04:10.830 --> 00:04:12.930 align:middle line:84%
When the final
document is published,

00:04:12.930 --> 00:04:16.019 align:middle line:84%
all this was extensively
discussed among the community

00:04:16.019 --> 00:04:18.510 align:middle line:90%
representing a broad consensus.

00:04:18.510 --> 00:04:20.399 align:middle line:84%
In the next part,
we will discuss

00:04:20.399 --> 00:04:23.120 align:middle line:90%
how the world wide web works.

00:04:23.120 --> 00:04:25.000 align:middle line:90%